Two initiatives to bring a higher level of security to the cloud are coming together at the same time.
The Defense Department and the Federal Risk and Authorization Management Program (FedRAMP) are on similar glide paths heading toward a set of high baseline standards and a set of cloud service providers ready to meet those needs.
Matt Goodrich, the FedRAMP director, said the Joint Authorization Board (JAB), made up of the chief information officers from the departments of Defense and Homeland Security, and the General Services Administration, is reviewing comments on the high baseline and expects to finalize the standards in the coming month.
At the same time, FedRAMP is piloting the high security standards with a few vendors and with agencies, such as DoD or DHS, that have systems that need more security.
Meanwhile, DoD approved its second vendor to provide cloud services that meet Level 5 security requirements, which cover data that is sensitive but unclassified and sits just below a “classified” designation.
IBM said it received a “conditional” authority to operate from the Defense Information Systems Agency to put some DoD data and systems in its secure cloud immediately.
DoD approved Amazon Web Services at cloud security model levels 3-5 in August 2014. The cloud security model is the precursor to DoD’s current policy under the security requirements guide (SRG).
What’s important about IBM’s approval is it’s for a cloud service already in use. IBM said its cloud services are hosted at the Allegany Ballistics Laboratory (ABL) data center in West Virginia, which is owned by the Department of the Navy and leased by IBM.
“ABL was recently designated as Special Purpose Processing Node (SPPN) by the Department of Navy (DoN) CIO, who stated that after a technical assessment review, ABL represents significant value to the DoN’s overall data center consolidation strategy and will continue to support DoN, DoD, and intelligence community missions, hosting production, business operations, research and development, and engineering environments,” said an IBM spokesman. “We see much potential here as agencies in DOD are seeking flexible, secure solutions where they can implement hybrid approaches that combine on-premise, off-premise environments.”
IBM says the setup at ABL also is the first cloud with a direct connection to DoD’s internal network known as the Nonsecure Internet Protocol Router Network (NIPRNet).
Both of these awards — to IBM and Amazon — are part of DoD’s broader strategy to focus on risk in the cloud rather than whether a contractor meets all of the standards.
IBM also has received JAB approval for its mobility management service cloud offerings as software-as-a-service, and for its infrastructure-as-a-service SmartCloud for Government solution.
By receiving Level 5 approval from DoD, Amazon and IBM receive a head start when FedRAMP’s high baseline is finalized. It also gives other agencies, whether DHS or the Justice or Treasury departments, access to experienced vendors and confidence in moving sensitive but unclassified data or systems to the cloud.